Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2018-1000614 Vulnerability in maven package org.onosproject:onos-netconf-provider-alarm

Description

ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message.

Remediation

References

http://gms.cl0udz.com/ONOS_Vul.pdf

https://gerrit.onosproject.org/#/c/18779/

Related Vulnerabilities

CVE-2017-16140 Vulnerability in npm package lab6.brit95

CVE-2018-3721 Vulnerability in npm package lodash.merge

CVE-2021-39176 Vulnerability in npm package detect-character-encoding

CVE-2023-22465 Vulnerability in maven package org.http4s:http4s-core_3

CVE-2023-45279 Vulnerability in maven package org.yamcs:yamcs-core

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Issue Tracking Patch